authorgjb <gjb@FreeBSD.org>2014-06-27 22:05:21 +0000
committergjb <gjb@FreeBSD.org>2014-06-27 22:05:21 +0000
commitfc21f40567ac7485e9e987cf5a539bd0d11c7155 (patch)
treefce5301b062a855bc68b9cb76c6b5966c5a2acbe /sys/security
parent2f456747e010bfa5a9dd3498aa5650e0ade39f22 (diff)
downloadFreeBSD-src-fc21f40567ac7485e9e987cf5a539bd0d11c7155.zip
FreeBSD-src-fc21f40567ac7485e9e987cf5a539bd0d11c7155.tar.gz
Revert r267961, r267973:
These changes prevented sysctl(8) from returning proper output, for example: 1) no output at all from sysctl(8); 2) tools such as truss(1) or uname(1) erroneously receiving ENOMEM, e.g. `truss: can not get etype: Cannot allocate memory`.
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac_biba/mac_biba.c19
-rw-r--r--sys/security/mac_bsdextended/mac_bsdextended.c3
-rw-r--r--sys/security/mac_ifoff/mac_ifoff.c12
-rw-r--r--sys/security/mac_lomac/mac_lomac.c16
-rw-r--r--sys/security/mac_mls/mac_mls.c9
-rw-r--r--sys/security/mac_portacl/mac_portacl.c14
6 files changed, 50 insertions, 23 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index b5bf8c3..375b8a3 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -100,36 +100,43 @@ SYSCTL_INT(_security_mac_biba, OID_AUTO, label_size, CTLFLAG_RD,
&biba_label_size, 0, "Size of struct mac_biba");
static int biba_enabled = 1;
-SYSCTL_INT(_security_mac_biba, OID_AUTO, enabled, CTLFLAG_RWTUN, &biba_enabled,
+SYSCTL_INT(_security_mac_biba, OID_AUTO, enabled, CTLFLAG_RW, &biba_enabled,
0, "Enforce MAC/Biba policy");
+TUNABLE_INT("security.mac.biba.enabled", &biba_enabled);
static int destroyed_not_inited;
SYSCTL_INT(_security_mac_biba, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
&destroyed_not_inited, 0, "Count of labels destroyed but not inited");
static int trust_all_interfaces = 0;
-SYSCTL_INT(_security_mac_biba, OID_AUTO, trust_all_interfaces, CTLFLAG_RDTUN,
+SYSCTL_INT(_security_mac_biba, OID_AUTO, trust_all_interfaces, CTLFLAG_RD,
&trust_all_interfaces, 0, "Consider all interfaces 'trusted' by MAC/Biba");
+TUNABLE_INT("security.mac.biba.trust_all_interfaces", &trust_all_interfaces);
static char trusted_interfaces[128];
-SYSCTL_STRING(_security_mac_biba, OID_AUTO, trusted_interfaces, CTLFLAG_RDTUN,
+SYSCTL_STRING(_security_mac_biba, OID_AUTO, trusted_interfaces, CTLFLAG_RD,
trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/Biba");
+TUNABLE_STR("security.mac.biba.trusted_interfaces", trusted_interfaces,
+ sizeof(trusted_interfaces));
static int max_compartments = MAC_BIBA_MAX_COMPARTMENTS;
SYSCTL_INT(_security_mac_biba, OID_AUTO, max_compartments, CTLFLAG_RD,
&max_compartments, 0, "Maximum supported compartments");
static int ptys_equal = 0;
-SYSCTL_INT(_security_mac_biba, OID_AUTO, ptys_equal, CTLFLAG_RWTUN, &ptys_equal,
+SYSCTL_INT(_security_mac_biba, OID_AUTO, ptys_equal, CTLFLAG_RW, &ptys_equal,
0, "Label pty devices as biba/equal on create");
+TUNABLE_INT("security.mac.biba.ptys_equal", &ptys_equal);
static int interfaces_equal = 1;
-SYSCTL_INT(_security_mac_biba, OID_AUTO, interfaces_equal, CTLFLAG_RWTUN,
+SYSCTL_INT(_security_mac_biba, OID_AUTO, interfaces_equal, CTLFLAG_RW,
&interfaces_equal, 0, "Label network interfaces as biba/equal on create");
+TUNABLE_INT("security.mac.biba.interfaces_equal", &interfaces_equal);
static int revocation_enabled = 0;
-SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RWTUN,
+SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RW,
&revocation_enabled, 0, "Revoke access to objects on relabel");
+TUNABLE_INT("security.mac.biba.revocation_enabled", &revocation_enabled);
static int biba_slot;
#define SLOT(l) ((struct mac_biba *)mac_label_get((l), biba_slot))
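Review bot: trust_all_interfaces and trusted_interfaces come back as CTLFLAG_RD with boot-only tunables while every other knob in this hunk is CTLFLAG_RW, and nothing in the hunk records why, so a later cleanup could "harmonise" them to RW without noticing the distinction. A one-line comment above the trust_all_interfaces declaration, such as `/* Trusted-interface configuration is deliberately boot-time only: loader tunable plus read-only sysctl. */`, would preserve the intent. I would hedge the rationale — presumably it is so a privileged process cannot widen the policy's trust set after boot — because the code that consumes these two variables is outside the hunk.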
diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index 377fd25..ccbc525 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -76,8 +76,9 @@ static SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0,
"TrustedBSD extended BSD MAC policy controls");
static int ugidfw_enabled = 1;
-SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RWTUN,
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RW,
&ugidfw_enabled, 0, "Enforce extended BSD policy");
+TUNABLE_INT("security.mac.bsdextended.enabled", &ugidfw_enabled);
static MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended",
"BSD Extended MAC rule");
diff --git a/sys/security/mac_ifoff/mac_ifoff.c b/sys/security/mac_ifoff/mac_ifoff.c
index 28097b5..7165f90 100644
--- a/sys/security/mac_ifoff/mac_ifoff.c
+++ b/sys/security/mac_ifoff/mac_ifoff.c
@@ -66,21 +66,25 @@ static SYSCTL_NODE(_security_mac, OID_AUTO, ifoff, CTLFLAG_RW, 0,
"TrustedBSD mac_ifoff policy controls");
static int ifoff_enabled = 1;
-SYSCTL_INT(_security_mac_ifoff, OID_AUTO, enabled, CTLFLAG_RWTUN,
+SYSCTL_INT(_security_mac_ifoff, OID_AUTO, enabled, CTLFLAG_RW,
&ifoff_enabled, 0, "Enforce ifoff policy");
+TUNABLE_INT("security.mac.ifoff.enabled", &ifoff_enabled);
static int ifoff_lo_enabled = 1;
-SYSCTL_INT(_security_mac_ifoff, OID_AUTO, lo_enabled, CTLFLAG_RWTUN,
+SYSCTL_INT(_security_mac_ifoff, OID_AUTO, lo_enabled, CTLFLAG_RW,
&ifoff_lo_enabled, 0, "Enable loopback interfaces");
+TUNABLE_INT("security.mac.ifoff.lo_enabled", &ifoff_lo_enabled);
static int ifoff_other_enabled = 0;
-SYSCTL_INT(_security_mac_ifoff, OID_AUTO, other_enabled, CTLFLAG_RWTUN,
+SYSCTL_INT(_security_mac_ifoff, OID_AUTO, other_enabled, CTLFLAG_RW,
&ifoff_other_enabled, 0, "Enable other interfaces");
+TUNABLE_INT("security.mac.ifoff.other_enabled", &ifoff_other_enabled);
static int ifoff_bpfrecv_enabled = 0;
-SYSCTL_INT(_security_mac_ifoff, OID_AUTO, bpfrecv_enabled, CTLFLAG_RWTUN,
+SYSCTL_INT(_security_mac_ifoff, OID_AUTO, bpfrecv_enabled, CTLFLAG_RW,
&ifoff_bpfrecv_enabled, 0, "Enable BPF reception even when interface "
"is disabled");
+TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &ifoff_bpfrecv_enabled);
static int
ifnet_check_outgoing(struct ifnet *ifp)
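Review bot: The restored tunable `TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &ifoff_bpfrecv_enabled);` does not match the sysctl OID declared a few lines above it, which is `security.mac.ifoff.bpfrecv_enabled`; an operator who puts the sysctl(8) name in loader.conf gets no effect (the variable defaults to 0, so BPF reception stays off), while the dotted spelling works but is not discoverable through sysctl(8). As far as I can tell the CTLFLAG_RWTUN form being reverted derived the tunable name from the OID path and so did not have this mismatch, meaning the revert silently reintroduces it. If the revert stays, the line should read `TUNABLE_INT("security.mac.ifoff.bpfrecv_enabled", &ifoff_bpfrecv_enabled);`, optionally keeping the old spelling alongside for compatibility with existing loader.conf files. ifnet_check_outgoing starts on the hunk's last line and its body is outside the hunk.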
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index cf66423..b2b9f74 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -101,28 +101,34 @@ SYSCTL_INT(_security_mac_lomac, OID_AUTO, label_size, CTLFLAG_RD,
&lomac_label_size, 0, "Size of struct mac_lomac");
static int lomac_enabled = 1;
-SYSCTL_INT(_security_mac_lomac, OID_AUTO, enabled, CTLFLAG_RWTUN,
+SYSCTL_INT(_security_mac_lomac, OID_AUTO, enabled, CTLFLAG_RW,
&lomac_enabled, 0, "Enforce MAC/LOMAC policy");
+TUNABLE_INT("security.mac.lomac.enabled", &lomac_enabled);
static int destroyed_not_inited;
SYSCTL_INT(_security_mac_lomac, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
&destroyed_not_inited, 0, "Count of labels destroyed but not inited");
static int trust_all_interfaces = 0;
-SYSCTL_INT(_security_mac_lomac, OID_AUTO, trust_all_interfaces, CTLFLAG_RDTUN,
+SYSCTL_INT(_security_mac_lomac, OID_AUTO, trust_all_interfaces, CTLFLAG_RD,
&trust_all_interfaces, 0, "Consider all interfaces 'trusted' by MAC/LOMAC");
+TUNABLE_INT("security.mac.lomac.trust_all_interfaces", &trust_all_interfaces);
static char trusted_interfaces[128];
-SYSCTL_STRING(_security_mac_lomac, OID_AUTO, trusted_interfaces, CTLFLAG_RDTUN,
+SYSCTL_STRING(_security_mac_lomac, OID_AUTO, trusted_interfaces, CTLFLAG_RD,
trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/LOMAC");
+TUNABLE_STR("security.mac.lomac.trusted_interfaces", trusted_interfaces,
+ sizeof(trusted_interfaces));
static int ptys_equal = 0;
-SYSCTL_INT(_security_mac_lomac, OID_AUTO, ptys_equal, CTLFLAG_RWTUN,
+SYSCTL_INT(_security_mac_lomac, OID_AUTO, ptys_equal, CTLFLAG_RW,
&ptys_equal, 0, "Label pty devices as lomac/equal on create");
+TUNABLE_INT("security.mac.lomac.ptys_equal", &ptys_equal);
static int revocation_enabled = 1;
-SYSCTL_INT(_security_mac_lomac, OID_AUTO, revocation_enabled, CTLFLAG_RWTUN,
+SYSCTL_INT(_security_mac_lomac, OID_AUTO, revocation_enabled, CTLFLAG_RW,
&revocation_enabled, 0, "Revoke access to objects on relabel");
+TUNABLE_INT("security.mac.lomac.revocation_enabled", &revocation_enabled);
static int lomac_slot;
#define SLOT(l) ((struct mac_lomac *)mac_label_get((l), lomac_slot))
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 6a074d0..d7ca5a5 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -101,20 +101,23 @@ SYSCTL_INT(_security_mac_mls, OID_AUTO, label_size, CTLFLAG_RD,
&mls_label_size, 0, "Size of struct mac_mls");
static int mls_enabled = 1;
-SYSCTL_INT(_security_mac_mls, OID_AUTO, enabled, CTLFLAG_RWTUN, &mls_enabled, 0,
+SYSCTL_INT(_security_mac_mls, OID_AUTO, enabled, CTLFLAG_RW, &mls_enabled, 0,
"Enforce MAC/MLS policy");
+TUNABLE_INT("security.mac.mls.enabled", &mls_enabled);
static int destroyed_not_inited;
SYSCTL_INT(_security_mac_mls, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
&destroyed_not_inited, 0, "Count of labels destroyed but not inited");
static int ptys_equal = 0;
-SYSCTL_INT(_security_mac_mls, OID_AUTO, ptys_equal, CTLFLAG_RWTUN,
+SYSCTL_INT(_security_mac_mls, OID_AUTO, ptys_equal, CTLFLAG_RW,
&ptys_equal, 0, "Label pty devices as mls/equal on create");
+TUNABLE_INT("security.mac.mls.ptys_equal", &ptys_equal);
static int revocation_enabled = 0;
-SYSCTL_INT(_security_mac_mls, OID_AUTO, revocation_enabled, CTLFLAG_RWTUN,
+SYSCTL_INT(_security_mac_mls, OID_AUTO, revocation_enabled, CTLFLAG_RW,
&revocation_enabled, 0, "Revoke access to objects on relabel");
+TUNABLE_INT("security.mac.mls.revocation_enabled", &revocation_enabled);
static int max_compartments = MAC_MLS_MAX_COMPARTMENTS;
SYSCTL_INT(_security_mac_mls, OID_AUTO, max_compartments, CTLFLAG_RD,
diff --git a/sys/security/mac_portacl/mac_portacl.c b/sys/security/mac_portacl/mac_portacl.c
index 17427ee..1dbd199 100644
--- a/sys/security/mac_portacl/mac_portacl.c
+++ b/sys/security/mac_portacl/mac_portacl.c
@@ -87,21 +87,27 @@ static SYSCTL_NODE(_security_mac, OID_AUTO, portacl, CTLFLAG_RW, 0,
"TrustedBSD mac_portacl policy controls");
static int portacl_enabled = 1;
-SYSCTL_INT(_security_mac_portacl, OID_AUTO, enabled, CTLFLAG_RWTUN,
+SYSCTL_INT(_security_mac_portacl, OID_AUTO, enabled, CTLFLAG_RW,
&portacl_enabled, 0, "Enforce portacl policy");
+TUNABLE_INT("security.mac.portacl.enabled", &portacl_enabled);
static int portacl_suser_exempt = 1;
-SYSCTL_INT(_security_mac_portacl, OID_AUTO, suser_exempt, CTLFLAG_RWTUN,
+SYSCTL_INT(_security_mac_portacl, OID_AUTO, suser_exempt, CTLFLAG_RW,
&portacl_suser_exempt, 0, "Privilege permits binding of any port");
+TUNABLE_INT("security.mac.portacl.suser_exempt",
+ &portacl_suser_exempt);
static int portacl_autoport_exempt = 1;
-SYSCTL_INT(_security_mac_portacl, OID_AUTO, autoport_exempt, CTLFLAG_RWTUN,
+SYSCTL_INT(_security_mac_portacl, OID_AUTO, autoport_exempt, CTLFLAG_RW,
&portacl_autoport_exempt, 0, "Allow automatic allocation through "
"binding port 0 if not IP_PORTRANGELOW");
+TUNABLE_INT("security.mac.portacl.autoport_exempt",
+ &portacl_autoport_exempt);
static int portacl_port_high = 1023;
-SYSCTL_INT(_security_mac_portacl, OID_AUTO, port_high, CTLFLAG_RWTUN,
+SYSCTL_INT(_security_mac_portacl, OID_AUTO, port_high, CTLFLAG_RW,
&portacl_port_high, 0, "Highest port to enforce for");
+TUNABLE_INT("security.mac.portacl.port_high", &portacl_port_high);
static MALLOC_DEFINE(M_PORTACL, "portacl_rule", "Rules for mac_portacl");
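Review bot: `security.mac.portacl.port_high` is restored as a plain CTLFLAG_RW SYSCTL_INT plus TUNABLE_INT with no range validation, so a negative value or one above 65535 is accepted from both sysctl(8) and loader.conf; how the rule-matching code then treats such a value is outside the hunk, so I cannot say whether it fails safe. If the variable is meant to always hold a valid port number, a SYSCTL_PROC handler that rejects values outside 0..65535 would make that boundary explicit; otherwise a comment such as `/* No range check here; out-of-range values are interpreted by the port checks below — confirm they fail closed. */` would at least flag it. This is pre-existing behaviour that the revert carries forward rather than something it introduces.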